This guide will go over a few settings that will help to make your Linux environment with NMIS9 more secure and stable.
Set the OMK NMIS9 VM to run services & scripts as user with omkadmin being the owner:group of /usr/local/omk
These steps will allow omkadmin as a user and as a group able to execute OMK scripts. To do this, we will follow the steps below:
To begin, we will find files and directories in /data/omk with setUID bit set
sudo find /data/omk -perm/+4000
Set Cronjobs
We will be sure to set all OMK cronjobs to run as the user omkadmin and not as the root user.
# stop services while we make this change:
sudo /usr/local/omk/bin/checkomkdaemons.sh stop;
# Add approved users, such as nmis, to omkadmin group as needed:
sudo usermod -a -G omkadmin nmis;
# this directory exists on the OMK NMIS9 VM:
OMK_DIR=/data/omk
# Set OMK directory structure writable by group:
sudo chown -R omkadmin:omkadmin "${OMK_DIR:-FAIL_HERE}";
sudo find "${OMK_DIR:-FAIL_HERE}" -type d -exec chmod 0770 {} \;;
# Set user and group able to write files:
sudo find "${OMK_DIR:-FAIL_HERE}" -type f -exec chmod 0660 {} \;;
# Set scripts executable by user and group:
# This command is purely precautionary: this directory is not likely to exist
sudo find "${OMK_DIR:-FAIL_HERE}/script" -type f -exec chmod 0770 {} \;;
# This command is purely precautionary: this directory is not likely to exist
sudo find "${OMK_DIR:-FAIL_HERE}/bin" -type f -exec chmod 0770 {} \;;
OMK_DIR=/usr/local/omk
# These command are exactly as for /data/omk:
# Set OMK directory structure writable by group:
sudo chown -R omkadmin:omkadmin "${OMK_DIR:-FAIL_HERE}";
sudo find "${OMK_DIR:-FAIL_HERE}" -type d -exec chmod 0770 {} \;;
# Set user and group able to write files:
sudo find "${OMK_DIR:-FAIL_HERE}" -type f -exec chmod 0660 {} \;;
# Set scripts executable by user and group:
# This command should succeed: this directory is likely to exist
sudo find "${OMK_DIR:-FAIL_HERE}/script" -type f -exec chmod 0770 {} \;;
# This command should succeed: this directory is likely to exist
sudo find "${OMK_DIR:-FAIL_HERE}/bin" -type f -exec chmod 0770 {} \;;
# The following commands should be executed after any of the the above commands
# to ensure PAR directory structure is re-created with PAR's own permissions set:
# Set sticky bit on $PAR_GLOBAL_TMPDIR directory and only executable by root.
# This is a more secure implementation of the linux /tmp/ directory implementation which also uses
sticky bit, but with chmod 1777:
sudo chmod 1700 "${PAR_GLOBAL_TMPDIR:-FAIL_HERE}";
# Delete existing PAR subdirectories as we may have set incorrect permissions on this directory
structure when executing the previous commands.
# The PAR subdirectories are re-created automatically by PAR upon being deleted (at execution of any PAR
script exe by that user):
sudo rm -rf "${PAR_GLOBAL_TMPDIR:-FAIL_HERE}"/*;
A good check that PAR is working as envisaged is when a normal user can execute OMK PAR exe scripts (other than those scripts that explicitly require execution by sudo with elevated permissions) and when there aren't any directories found of pattern /tmp/par-*/. (Assuming that environment variable "$PAR_GLOBAL_TMPDIR" points to an existing and user accessible directory).